OCR said Change Healthcare is responsible for notifying patients of the data breach



The U.S. Department of Health and Human Services’ Office for Civil Rights updated the Change Healthcare cybersecurity incident FAQ page on Friday to address questions the agency has received about who is responsible for making breach notifications to HHS, affected individuals and, if applicable, the media.

WHY IS IT IMPORTANT?

Published on April 19, the FAQ covers HIPAA rules as they relate to the February 9 cybersecurity incident at Change Healthcare, a unit of UnitedHealth Group, that widely affects healthcare organizations across the United States.

“Our updated FAQ webpage on the Change Healthcare breach reiterates that importance by clarifying that individuals affected by this breach must be notified that their protected health information has been breached.”

OCR says to avoid sending duplicate messages to patients:

  • Organizations affected by the Change Healthcare breach may delegate to Change Healthcare the task of providing required HIPAA breach notifications on their behalf.
  • Only one entity – either the entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and the media, if applicable.

The agency notes that HIPAA-covered entities that work with Change Healthcare “to make required breach notifications in a manner consistent with the HITECH Act and the HIPAA Breach Notification Rule” will not be subject to the additional notification obligations.

BIGGER TREND

In April, the Healthcare Group Management Association sent a letter asking HHS to ensure that providers would avoid legal action related to the Change Healthcare attack and to require UHG to issue the breach notices HIPAA requires.

UHG commits to “help relieve reporting obligations for other stakeholders whose data may have been compromised as part of this cyberattack” and offers to “provide notification and make inquiries related administration on behalf of any supplier or customer”.

Going forward, chain-reaction breaches like the Change Healthcare attack, and the subsequent outages affecting a wide range of the healthcare ecosystem, could make breach notification much more confusing. The Federal Trade Commission is looking to amend and expand its Health Breach Notification Rule to apply to entities, such as third-party prescription apps, that were not previously covered by HIPAA.

ON PROFILE

“Affected covered entities who wish to have Change Healthcare provide a breach notification on their behalf should contact Change Healthcare,” Fontes Rainer said in a statement. “All required HIPAA violation notifications may be made by Change Healthcare.”

Andrea Fox is a senior editor at Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
